Data Principal Rights Under DPDP: Access, Correction, Erasure, and Nomination
Most businesses reading the DPDP Act for the first time focus on their own obligations. That is understandable; Sections 8 and 10 spell out what Data Fiduciaries must do, and the penalty schedule at the back of the Act makes the consequences vivid. But the Act's architecture rests on a reciprocal structure that many compliance teams gloss over: the rights it gives to individuals, and the corresponding duties it imposes on them.
Sections 11 through 15 of the DPDP Act 2023 establish four affirmative rights for Data Principals and a set of duties that constrain how those rights may be exercised. If your organisation processes personal data of individuals in India, you are required to build the infrastructure that makes these rights exercisable. Not eventually. By May 13, 2027.
Key Takeaways
- The DPDP Act 2023 grants Data Principals four core rights: access to information (Section 11), correction and erasure (Section 12), grievance redressal (Section 13), and nomination (Section 14).
- Under the DPDP Rules 2025, Data Fiduciaries must respond to all Data Principal requests within 90 days.
- Data Principals also have legally enforceable duties under Section 15, including a prohibition on filing false complaints, with penalties up to ₹10,000.
- The right to nominate is unique to Indian data protection law and has no direct equivalent in GDPR, CCPA, or any other major privacy framework.
- Businesses must provide a publicly accessible mechanism (website, app, or portal) for Data Principals to submit requests using an identifier issued by the fiduciary.
What is a Data Principal Under the DPDP Act?
Before getting into the rights themselves, the terminology matters. Section 2(j) of the DPDP Act 2023 defines a Data Principal as "the individual to whom the personal data relates." If you collect someone's name, email, phone number, Aadhaar number, or payment details, that person is a Data Principal with respect to that data.
For children under 18, the Data Principal is the child, but rights are exercised by the parent or lawful guardian. For persons with disability, rights are exercised by the lawful guardian.
This is a deliberate terminological choice. The DPDP Act does not use the GDPR term "data subject." The word "principal" signals agency: this is not a passive subject of data processing but an individual with active, enforceable rights and corresponding duties.
What Are the Four Rights of a Data Principal?
The DPDP Act 2023 establishes four distinct rights across Sections 11 through 14. Each operates independently, and each requires your organisation to have operational processes in place. Here is what each right requires, what it actually means for your compliance infrastructure, and where businesses most commonly get it wrong.
Right to Access Information (Section 11)
Section 11(1) gives every Data Principal the right to obtain:
- A summary of personal data being processed and the processing activities undertaken
- The identities of all Data Fiduciaries and Data Processors with whom their personal data has been shared
- Any other information related to the personal data and its processing, as may be prescribed under the Rules
The operative word here is "summary." The Act does not require you to hand over raw database exports. It requires a comprehensible overview of what data you hold, what you are doing with it, and who else has access.
Under the DPDP Rules 2025, the response must be provided in digital form and within a maximum of 90 days from the date of request.
The common mistake I see: companies that treat access requests as one-off annoyances rather than building a repeatable workflow. When five customers ask in the same week, the manual approach breaks down. When a hundred ask after a publicised data incident, it collapses entirely.
Right to Correction and Erasure (Section 12)
Section 12 actually bundles four distinct operations into a single right:
- Correction of inaccurate personal data
- Completion of incomplete personal data
- Updating of personal data that is no longer current
- Erasure of personal data no longer necessary for the specified purpose
Section 12(3) is where the obligation sharpens: when a Data Principal withdraws consent, the Data Fiduciary must erase the personal data unless retention is required by law or for a purpose that still has a valid legal basis.
Section 12(4) adds a cascading obligation. If you have shared the Data Principal's personal data with another Data Fiduciary or Data Processor, you must ensure they also correct, complete, update, or erase the data. This is not optional. You cannot tell the Data Principal their data has been erased from your systems while copies persist in your vendor's databases.
| Operation | Trigger | Timeline | Cascading Obligation |
|---|---|---|---|
| Correction | Data Principal identifies inaccuracy | Within 90 days (DPDP Rules 2025) | Yes, to all recipients |
| Completion | Data is incomplete | Within 90 days | Yes, to all recipients |
| Update | Data is outdated | Within 90 days | Yes, to all recipients |
| Erasure | Purpose fulfilled or consent withdrawn | Within 90 days | Yes, to all recipients |
Where businesses get this wrong: they build the erasure mechanism for their primary database but forget about backups, analytics pipelines, third-party integrations, and cached copies. Section 12(4) does not distinguish between your production database and your data warehouse. If the personal data exists in any system under your control or under the control of a processor acting on your behalf, it needs to go.
Right of Grievance Redressal (Section 13)
Section 13 requires every Data Fiduciary to provide "readily available means of grievance redressal" for complaints related to:
- Any act or omission by the Data Fiduciary regarding its obligations under the Act
- The exercise of the Data Principal's rights
This is not a suggestion. It is a legal requirement to have an operational grievance mechanism before the enforcement date. The Data Principal must also be able to identify and contact the person responsible for addressing their grievance.
The DPDP Rules 2025 add a critical procedural requirement: the Data Principal must exhaust the Data Fiduciary's grievance mechanism before approaching the Data Protection Board of India. This means your internal process is the first line of adjudication. If it does not exist, the Data Principal can escalate directly, and your absence of a process becomes evidence of non-compliance.
There is a practical consequence here that I have seen trip up even well-intentioned companies. Section 13 implicitly requires you to maintain records of every grievance, the steps taken to address it, and the outcome. When a complaint reaches the DPBI, the Board will ask for your side of the story. "We don't have records of that interaction" is not a defensible answer.
Right to Nominate (Section 14)
This is the provision that makes the DPDP Act genuinely distinctive in global privacy law. Section 14 allows a Data Principal to nominate another individual to exercise their rights in two circumstances:
- Death of the Data Principal
- Incapacity of the Data Principal (defined as inability to exercise rights due to unsoundness of mind or infirmity of body)
The nominee steps into the Data Principal's shoes. They can exercise the right to access, the right to correction and erasure, and the right to grievance redressal, all on behalf of the original Data Principal.
No other major data protection law includes this provision. GDPR is silent on posthumous data rights. CCPA has limited provisions for authorised agents but nothing specific to death or incapacity. The DPDP Act's inclusion of this right reflects a practical reality of Indian family structures: when someone passes away or becomes incapacitated, family members need to manage their digital accounts, financial records, and personal data across dozens of services.
| Feature | DPDP Act 2023 (India) | GDPR (EU) | CCPA (California) |
|---|---|---|---|
| Explicit nomination right | Yes (Section 14) | No | No |
| Posthumous data rights | Through nominee | Left to member state law | Limited |
| Incapacity provisions | Explicitly defined | No specific provision | No specific provision |
| Who can exercise | Nominated individual | Varies by jurisdiction | Authorised agent (limited scope) |
For your compliance system, this means you need a mechanism for Data Principals to register a nominee, a process for verifying nominee claims when they arise, and workflows that allow the nominee to exercise all four rights on behalf of the Data Principal.
What Are the Duties of a Data Principal?
Most commentary on the DPDP Act stops at the rights. Section 15 is where the Act does something unusual: it imposes legally enforceable duties on the individuals whose data is being processed.
Under Section 15, every Data Principal must:
- Comply with applicable laws when exercising rights under the Act
- Not register false or frivolous complaints with a Data Fiduciary or the Data Protection Board
- Not furnish false particulars or suppress material information when exercising rights, making complaints, or providing personal data
- Not impersonate another person when providing personal data for a specified purpose
These are not aspirational guidelines. The Schedule to the DPDP Act prescribes a penalty of up to ₹10,000 for Data Principals who breach these duties. This is the only provision in the Act where individuals, rather than businesses, face financial penalties.
The inclusion of these duties serves a structural purpose beyond deterrence. It signals to the Data Protection Board that complaints should be evaluated on their merits, not rubber-stamped. A Data Fiduciary facing a complaint from a Data Principal has the right to point out if that complaint is frivolous or based on materially false information.
How Should Businesses Operationalise Data Principal Rights?
Understanding the legal text is step one. Building the systems to honour these rights at scale is where most companies stall. Here is what the DPDP Rules 2025 require in operational terms.
The Request Mechanism
Data Fiduciaries must provide a publicly accessible mechanism for Data Principals to submit requests. The DPDP Rules 2025 specify that this should be available through the Data Fiduciary's website, application, or a dedicated portal. The Data Principal submits their request using an identifier previously provided by the Data Fiduciary, such as a registered email address, phone number, or account ID.
This is not a contact form buried on your "About Us" page. It is a purpose-built interface where Data Principals can select the type of request (access, correction, erasure, grievance), provide the necessary identifying information, and receive acknowledgement.
The 90-Day Response Clock
Under the DPDP Rules 2025, the maximum response time for any Data Principal request is 90 days. This clock starts when the request is received through the designated mechanism. The Rules do not currently distinguish between simple requests (changing an email address) and complex ones (providing a comprehensive data access summary across multiple systems). All fall within the same 90-day window.
For reference, GDPR's equivalent timeline is 30 days with a possible 60-day extension. India's 90-day window is more generous, but it is also an outer limit, not a target. Responding in 88 days when the data is readily accessible in your CRM sends a signal about how seriously you take these rights.
Record-Keeping
Every request, every response, and every action taken must be documented. This is not explicitly stated as a standalone obligation in Sections 11 to 14, but it follows necessarily from several other provisions:
- The DPBI will require evidence of your compliance when adjudicating complaints (Section 13)
- The Data Fiduciary's obligation to demonstrate compliance under the Act's accountability framework
- The requirement to prove erasure was actually carried out across all systems and processors (Section 12(4))
If you are building your DSR infrastructure from scratch, build the audit trail first. Everything else is a feature on top of that foundation.
What This Looks Like in Practice
Consider an e-commerce company with 50,000 active customer accounts. In any given month, it might receive:
- 15-20 access requests from customers wanting to know what data is held
- 30-40 correction requests (address changes, phone number updates)
- 5-10 erasure requests from customers who have closed their accounts
- 2-3 grievance complaints about marketing communications or data sharing
At that volume, a manual process with shared inboxes and spreadsheets is a compliance risk waiting to materialise. You need structured intake, automated routing, deadline tracking, and documented resolution for every single request.
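As an added illustration of that structured intake (not code from the article or from any product it mentions), the following Python sketch models a single request with the 90-day clock starting on receipt, the fiduciary-issued identifier check, a nominee flag for Section 14, an append-only audit trail, and the Section 12(4) rule that a correction or erasure cannot be closed until every downstream recipient has confirmed. Class and function names, the recipient labels and the dates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

RESPONSE_WINDOW_DAYS = 90  # outer limit under the DPDP Rules 2025


class RequestType(Enum):
    ACCESS = "access"          # Section 11
    CORRECTION = "correction"  # Section 12 (correct / complete / update)
    ERASURE = "erasure"        # Section 12
    GRIEVANCE = "grievance"    # Section 13


@dataclass
class DSRRequest:
    request_id: str
    principal_id: str            # identifier the fiduciary issued (email, phone, account id)
    kind: RequestType
    received_on: date            # clock starts on receipt through the designated mechanism
    via_nominee: bool = False    # Section 14: nominee acting after death or incapacity
    recipients: tuple = ()       # processors / fiduciaries the data was shared with (Section 12(4))
    confirmed: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def __post_init__(self):
        if not self.principal_id:
            raise ValueError("request must carry a fiduciary-issued identifier")
        self.log("intake", "received via designated mechanism", self.received_on)

    @property
    def deadline(self) -> date:
        return self.received_on + timedelta(days=RESPONSE_WINDOW_DAYS)

    def days_remaining(self, today: date) -> int:
        return (self.deadline - today).days

    def log(self, actor: str, action: str, on: date) -> None:
        # Append-only trail: who did what and when; earlier entries are never edited.
        self.audit.append((on.isoformat(), actor, action))

    def confirm_recipient(self, recipient: str, on: date) -> None:
        if recipient not in self.recipients:
            raise ValueError(f"{recipient} is not a known recipient for this request")
        self.confirmed.add(recipient)
        self.log(recipient, "confirmed cascading action", on)

    def can_close(self) -> bool:
        # Section 12(4): correction/erasure is not done until every recipient has acted.
        if self.kind in (RequestType.CORRECTION, RequestType.ERASURE):
            return set(self.recipients) <= self.confirmed
        return True


def triage(requests, today: date):
    """Split requests into (overdue, pending), each ordered by nearest deadline first."""
    ordered = sorted(requests, key=lambda r: r.deadline)
    overdue = [r for r in ordered if r.days_remaining(today) < 0]
    pending = [r for r in ordered if r.days_remaining(today) >= 0]
    return overdue, pending
```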
For a deeper look at how Data Fiduciaries should structure their overall compliance program, see our complete guide to the DPDP Act 2023, which covers the full obligation framework, or our explainer on the DPDP Rules 2025 for the specific operational requirements that the Rules have added.
How Do DPDP Data Principal Rights Compare to GDPR?
Indian companies with European operations consistently ask whether their existing GDPR data subject rights infrastructure covers DPDP. The short answer: partially. The longer answer requires a section-by-section comparison.
| Right | DPDP Act 2023 | GDPR |
|---|---|---|
| Right to access | Summary of data and processing activities (Section 11) | Copy of personal data and detailed processing information (Article 15) |
| Right to correction | Correction, completion, updating (Section 12) | Rectification of inaccurate data (Article 16) |
| Right to erasure | Erasure when purpose fulfilled or consent withdrawn (Section 12) | "Right to be forgotten" with six specific grounds (Article 17) |
| Right to data portability | Not included in DPDP | Structured, machine-readable format (Article 20) |
| Right to restrict processing | Not included in DPDP | Temporary suspension of processing (Article 18) |
| Right to object | Not included in DPDP | Object to processing based on legitimate interest (Article 21) |
| Right to nomination | Explicit provision for death/incapacity (Section 14) | No equivalent provision |
| Right to grievance redressal | Mandatory internal mechanism (Section 13) | Right to lodge complaint with supervisory authority (Article 77) |
| Response timeline | 90 days (DPDP Rules 2025) | 30 days, extendable to 90 (GDPR Article 12) |
Three gaps stand out.
First, DPDP does not include a right to data portability. Under GDPR, Data Subjects can request their data in a structured, commonly used, machine-readable format and have it transmitted directly to another controller. The DPDP Act has no equivalent. This is a deliberate legislative choice, not an oversight.
Second, DPDP does not include a right to restrict processing or a right to object. Under GDPR, Data Subjects can demand that processing be paused while a dispute is resolved, or object entirely to processing based on legitimate interest. Since the DPDP Act does not include a "legitimate interest" legal basis, the right to object has no structural home.
Third, the nomination right goes further than anything in GDPR. If you have built a GDPR-compliant DSR portal, you will need to extend it with nomination registration, nominee verification, and posthumous data management workflows for DPDP compliance.
Where Does This Leave Significant Data Fiduciaries?
Entities designated as Significant Data Fiduciaries under Section 10 face the same Data Principal rights obligations as every other Data Fiduciary, but with an additional layer of scrutiny. SDFs are required to appoint a Data Protection Officer based in India, conduct periodic data protection impact assessments, and submit to independent data audits.
In practice, this means the DPBI will hold SDFs to a higher standard when evaluating how they handle Data Principal requests. An ordinary Data Fiduciary that takes 85 days to respond to an access request is within the Rules. A Significant Data Fiduciary doing the same will face questions about whether its DPO and compliance infrastructure are adequate.
As of February 2026, the Central Government has not yet published the criteria for SDF designation. But if your organisation processes data at significant scale, assuming you will be designated and building your rights infrastructure accordingly is the prudent approach.
Frequently Asked Questions
Can a Data Principal request access to all personal data a company holds about them?
Under Section 11 of the DPDP Act 2023, a Data Principal can request a summary of their personal data being processed, the processing activities undertaken, and the identities of all entities with whom their data has been shared. The Act requires a summary, not a complete raw export of every data point. The DPDP Rules 2025 require this summary to be provided in digital form within 90 days.
What happens if a business fails to respond to a Data Principal's rights request?
Failure to fulfil obligations under the DPDP Act can attract penalties of up to ₹50 crore per violation under Item 5 of the Schedule to the Act. Additionally, the Data Principal can escalate the matter to the Data Protection Board of India after exhausting the Data Fiduciary's internal grievance mechanism (Section 13). The Board has the power to investigate, impose penalties, and issue binding directions.
Does the right to erasure under DPDP apply retroactively to data collected before the Act?
The DPDP Act applies to all digital personal data processed after the enforcement date, regardless of when it was collected. Section 3 establishes this scope, and Section 5(2) specifically addresses pre-existing data by requiring Data Fiduciaries to issue retrospective notices to Data Principals whose data was collected before the Act. Once the Act is fully enforceable in May 2027, the right to erasure applies to all personal data held by the Data Fiduciary, including data collected years earlier.
How does the nomination right work in practice?
A Data Principal designates a nominee through the Data Fiduciary's designated platform. The nominee's identity and contact details are recorded. In the event of the Data Principal's death or incapacity, the nominee contacts the Data Fiduciary with appropriate proof (death certificate, medical certificate of incapacity). Once verified, the nominee can exercise all rights under the Act on behalf of the original Data Principal, including access, correction, erasure, and grievance redressal (Section 14).
Is there a penalty for Data Principals who file false complaints?
Yes. Section 15 of the DPDP Act 2023 imposes duties on Data Principals, including a prohibition on filing false or frivolous complaints and furnishing misleading information. The Schedule to the Act prescribes a maximum penalty of ₹10,000 for breach of these duties. This is the only provision in the Act where individuals face financial penalties.
Simplify Your DPDP Compliance
This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.
Building the infrastructure to handle Data Principal rights at scale, from access requests to nominee management, does not need to consume months of engineering time. ComplyZero provides a self-serve compliance platform with a built-in DSR portal, automated request tracking, and audit-ready records, designed specifically for Indian businesses navigating the DPDP Act.
ComplyZero handles the complexity for you: consent management, privacy notices in 22 languages, DSR workflows, and audit-ready compliance records. Get your business DPDP-ready in minutes, not months.